Custom Auth Objects in SAP
Often a security administrator comes across requirements where the existing authorization objects delivered by SAP are not enough.
Mostly these come during custom developments through completely new programs or enhancements to existing SAP programs.
In such situations, SAP provides us with the option of defining completely new authorization objects. The names of these customer-specific objects should begin with Y or Z, and they can be created through the SU21 transaction. If required, we can define new authorization fields as well through the transaction SU20.
In the example below, we are set to create a new authorization field and use it in a new authorization object. First we go into SU20 and select the create option from the toolbar. We create a new field "ZBLN" which takes two possible values, 'X' and ''.
The possible values for a field are controlled by the definition of the data element specified in the ABAP dictionary, which in this case is BL_D. We might create our own data elements as well through the SE11 transaction.
On saving the new field we are prompted for a package for our new development. Packages are dictionary objects to group similar objects for transporting across development, quality assurance and production systems.
If we do not plan to transport the new field, we can select the local object (package $TMP) from the options.
Once the authorization field is created, it's time to include it in a custom authorization object through SU21. We select the authorization class of the object and select the create option.
(SU21 also allows us to create our own authorization classes. It's a good practice to create at least one Z or Y authorization class to include our custom authorization objects.)
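A custom object only protects anything once the custom program checks it. The report below is an added example, not code from the original page: it tests the ZBLN field with AUTHORITY-CHECK and denies access on every non-zero return code. The object name Z_BLN_DEMO and the report name are hypothetical, and the example assumes ZBLN is the only field on the object.

```abap
REPORT z_bln_auth_demo.

* Added example. Z_BLN_DEMO is a hypothetical object name: the page does
* not name the object created in SU21. ZBLN is the field from the page.
CONSTANTS gc_object TYPE c LENGTH 10 VALUE 'Z_BLN_DEMO'.

START-OF-SELECTION.
  " Ask whether the current user holds ZBLN = 'X' for the custom object.
  AUTHORITY-CHECK OBJECT gc_object
    ID 'ZBLN' FIELD 'X'.

  CASE sy-subrc.
    WHEN 0.
      " Only this branch may reach the protected logic.
      WRITE / 'Authorized: protected logic runs here.'.
    WHEN 4.
      " The user has the object, but not with the value 'X'.
      MESSAGE 'Missing value X for field ZBLN' TYPE 'S' DISPLAY LIKE 'E'.
    WHEN 12.
      " No authorization for this object in the user master record.
      MESSAGE 'Object not assigned to this user' TYPE 'S' DISPLAY LIKE 'E'.
    WHEN OTHERS.
      " Any other return code is treated as a denial (fail closed).
      MESSAGE 'Authorization check failed' TYPE 'S' DISPLAY LIKE 'E'.
  ENDCASE.
```

After a denied run, transaction SU53 shows the failed check for that user, which helps when deciding which role needs the new object.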
TCODE:SU21




TCODE:SU20





